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Abstract 

We consider the problem of hiding sender and receiver of classical and quantum bits (qubits), 
even if all physical transmissions can be monitored. We present a quantum protocol for sending 
and receiving classical bits anonymously, which is completely traceless: it successfully prevents 
later reconstruction of the sender. We show that this is not possible classically. It appears that 
entangled quantum states are uniquely suited for traceless anonymous transmissions. We then 
extend this protocol to send and receive qubits anonymously. In the process we introduce a new 
primitive called anonymous entanglement, which may be useful in other contexts as well. 

1 Introduction 

In most cryptographic applications, we are interested in ensuring the secrecy of data. Sender 
and receiver know each other, but are trying to protect their data exchange from prying eyes. 
Anonymity, however, is the secrecy of identity. Primitives to hide the sender and receiver of a 
transmission have received considerable attention in classical computing. Such primitives allow 
any member of a group to send and receive data anonymously, even if all transmissions can be 
monitored. They play an important role in protocols for electronic auctions j32j . voting protocols 
and sending anonymous email Other applications allow users to access the Internet without 
revealing their own identity [30], ^1] or, in combination with private information retrieval, provide 
anonymous publishing Finally, an anonymous channel which is completely immune to any 

active attacks, would be a powerful primitive. It has been shown how two parties can use such a 
channel to perform key-exchange 



1.1 Previous Work 

A considerable number of classical schemes have been suggested for anonymous transmissions. 
An unconditionally secure classical protocol was introduced by Chaum in the context of the 
Dining Cryptographers Problem. Since this protocol served as an inspiration for this paper, we 
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briefly review it here. A group of cryptograpliers is assembled in their favorite restaurant. They 
have already made arrangements with the waiter to pay anonymously, however they are rather 
anxious to learn whether one of them is paying the bill, or whether perhaps an outside party such 
as the NSA acts as their benefactor. To resolve this question, they all secretly flip a coin with 
each of their neighbours behind the menu and add the outcomes modulo two. If one of them paid, 
he inverts the outcome of the sum. They all loudly announce the result of their computation at 
the table. All players can now compute the total sum of all announcements which equals zero if 
and only if the NSA pays. This protocol thus allows anonymous transmission of one bit indicating 
payment. A network based on this protocol is also referred to as a DC-net. Small scale practical 
implementations of this protocol are known Boykin [Jj considered a quantum protocol to send 
classical information anonymously where the players distribute and test pairwise shared EPR pairs, 
which they then use to obtain key bits. His protocol is secure in the presence of noise or attacks 
on the quantum channel. Other anonymity related work was done by Miiller-Quade and Imai 
in the form of anonymous oblivious transfer. 

In practice, two other approaches are used, which do not aim for unconditional security: First, 
there are protocols which employ a trusted third party. This takes the form of a trusted proxy 
server (Hj, [22j, forwarding messages while masking the identity of the original sender. Secondly, 
there are computationally secure protocols using a chain of forwarding servers. Most notably, these 
are protocols based on so-called mixing techniques introduced by Chaum ^01 ) such as Webmixes 
and ISDN-Mixes ,27,. Here messages are passed through a number of proxies which reorder the 
messages; hence the name MixNet. The goal of this reordering is to ensure an observer cannot 
match in- and outgoing messages and thus cannot track specific messages on their way through 
the network. Public Key Encryption is then used between the user and the different forwarding 
servers to hide the contents of a message. Several implemented systems, such as Mixmaster ,24 , 
PipeNet Onion Routing 33 and Tor jl61l35j employ layered encryption: the user successively 
encrypts the message with the public keys of all forwarding servers in the chain. Each server then 
"peels off" one layer, by decrypting the received data with its own secret key, to determine the next 
hop to pass the message to. The Crowds IHO] system takes another approach. Here each player acts 
as a forwarding server himself. He either sends the message directly to the destination, or passes it 
on to another forwarding server with a certain probability. The aim is to make any sender within the 
group appear equally probable for an observer. Various other protocols using forwarding techniques 
are known. Since our focus lies on unconditionally secure protocols, we restrict ourselves to this 
brief introduction. More information can be found in the papers by Goldberg and Wagner 
and in the PhD thesis of Martin Chapter 2 and 3] . 

Note that a DC-net computes the parity of the players inputs. Sending classical information 
anonymously can thus be achieved using secure multi-party computation which has received consid- 
erable attention classically [20], ^2j. Quantum secure multi-party computation has been considered 
for the case that the players hold quantum inputs and each player receives part of the output ^S] • 
Our protocol for sending qubits anonymously does not form an instance of general quantum secure 
multi-party computation, as we only require the receiver to obtain the qubit sent. Other players 
do not share part of this state. Instead, the receiver of the state should remain hidden. 

1.2 Contribution 

Here we introduce quantum protocols to send and receive classical and quantum bits anonymously. 
We first consider a protocol that allows n players to send and receive one bit of classical information 
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anonymously using one shared entangled state 1^-) = (|0)®" + |l)®")/\/2 and n uses of a broadcast 
channel. Given these resources, the protocol is secure against collusions of up to n — 2 players: the 
collaborators cannot learn anything more by working together and pooling their resources. 

The most notable property of our protocol for anonymous transmissions of classical data is that 
it is traceless as defined in Section 12.11 This is related to the notion of incoercibility in secure- multi 
party protocols [Hj. Informally, a protocol is incoercible, if a player cannot be forced to reveal his 
true input at the end of the protocol. When forced to give up his input, output and randomness 
used during the course of the protocol, a player is able to generate fake input and randomness 
instead, that is consistent with the public transcript of communication. He can thus always deny 
his original input. This is of particular interest in secret voting to prevent vote-buying. Other 
examples include computation in the presence of an authority, such as the mafia, an employer or 
the government, that may turn coercive at a later point in time. In our case, incoercibility means 
that a player can always deny having sent. A protocol that is traceless, is also incoercible. However, 
a traceless protocol does not even require the player to generate any fake randomness. A sender 
can freely supply a fake input along with the true randomness used during the protocol without 
giving away his identity, i.e. his role as a sender during the protocol. This can be of interest in the 
case that the sender has no control over which randomness to give away. Imagine for example a 
burglar sneaking in at night to obtain a hard disk containing all randomness or the sudden seizure 
of a voting machine. As we show, the property traceless of our protocol contrasts with all classical 
protocols and provides another example of a property that cannot be achieved classically. The 
protocols suggested in are not traceless, can, however, be modified to exhibit this property. 

Clearly, in 2005 the group of dinner guests is no longer content to send only classical bits, but 
would also like to send qubits anonymously. We first use our protocol to allow two anonymous 
parties to establish a shared EPR pair. Finally, we use this form of anonymous entanglement to 
hide the sender and receiver of an arbitrary qubit. These protocols use the same resource of shared 
entangled states l^*) and a broadcast channel. 

1.3 Outline 

Section |21 states the resources used in the protocol, necessary definitions and a description of the 
model. In Section 12.21 we derive limitations on classical protocols. Section 13.21 then presents a 
quantum protocol for sending classical bits anonymously. Section [3 . 41 deals with the case of sending 
qubits anonymously and defines the notion of anonymous entanglement. Multiple simultaneous 
senders are considered in Section |2 

2 Preliminaries 

2.1 Definitions and Model 

We will consider protocols among a set of n players who are consecutively numbered. The players 
may assume a distinct role in a particular run of the protocol. In particular, some players might 
be senders and others receivers of data items. In our case, a data item d will be a single bit or 
a qubit. We use the verb send to denote transmission of a data item via the anonymous channel 
and transmit to denote transmission of a message (here classical bits) via the underlying classical 
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message passing network^ or via the broadcast channel given in Definitional 

Anonymity is the secrecy of identity. Looking at data transmissions in particular, this means 
that a sender stays anonymous, if no one can determine his identity within the set of possible 
senders. In particular, the receiver himself should not learn the sender's identity either. Likewise, 
we define anonymity for the receiver. In all cases that we consider below, the possible set of senders 
coincides with the possible set of receivers. The goal of an adversary is to determine the identity 
of the sender and/or receiver. To this end he can choose to corrupt one or more players: this 
means he can take complete control over such players and their actions. Here, we only consider a 
non-adaptive adversary, who chooses the set of players to corrupt before the start of the protocol. 
In addition, the adversary is allowed to monitor all physical transmissions: he can follow the path of 
all messages, reading them as desired. Contrary to established literature, we here give the adversary 
one extra ability: After completion of the protocol, the adversary may hijack any number of players. 
This means that he can break into the system of a hijacked player and learn all randomness this 
player used during the protocol. However, he does not learn the data item d or the role this player 
played during the protocol. In a DC-net, for example, the randomness are the coin fiips performed 
between two players. The adversary may then try to use this additional information to determine 
the identity of the sender and/or receiver. We return to the concept of hijacking in Section l2.ll 
In this paper, we are only interested in unconditional security and thus consider an unbounded 
adversary. We call a player malicious if he is corrupted by the adversary. A malicious player may 
deviate from the protocol by sending alternate messages. We call a player honest, if he is not 
corrupted and follows the protocol. If t > 1 players are corrupted, we also speak of a collusion of t 
players. 

Let V denote the set of all players. Without loss of generality, a protocol is a sequence of k 
rounds, where in each round the players, one after another, transmit one message. We use Cjm 
to denote the message transmitted by player m in round j. The total communication during the 
protocol is thus given by the sequence C = {cjm}j=i m=i iT-k messages. Note that we do not 
indicate the receiver of the messages. At the beginning of the protocol, the players may have access 
to private randomness and shared randomness among all players, or a subset of players. In addition, 
each player may generate local private randomness during the course of the protocol. We use gjm 
to denote the random string held by player m in round j. A player cannot later delete gjm- Let 
Gm = {9jm}j=i be the combined randomness held by player m. Similarly, we use G = {Gm}m=i 
to denote the combined randomness held by all players. Note that the data item d player m wants 
to send and his role in the protocol (sender /receiver /none) are excluded from Gm- In the following 
definitions, we exclude the trivial case where the sender or receiver are known beforehand, and 
where the sender is simultaneously the receiver. 

It is intuitive that a protocol preserves the anonymity of a sender, if the communication does 
not change the a priori uncertainty about the identity of the sender. Formally: 

Definition 1 A k-round protocol P allows a sender s to he anonymous, if for the adversary who 
corrupts t < n — 2 players 

maxProbfS" = s\G^,C] = maxProbfS' = si = 

S ^ ' ' ^ S ^ ' n-t 

where the first maximum is taken over all random variables S which depend only on the sequence of 
all messages, C , and on the set of randomness held by the corrupted players, G* = {Gm}meE- Here, 
network of pairwise communication channels between the players. 
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E C V^Vfs} is the set of players corrupted by the adversary; to exclude the trivial case where the 
sender s himself is corrupted by the adversary. A protocol P that allows a sender to be anonymous 
achieves sender anonymity. 

Similarly, we define the anonymity of a receiver: 

Definition 2 A k-round protocol P allows a receiver r to be anonymous, if for the adversary who 
corrupts t < n — 2 players 



where the first maximum is taken over all random variables R which depend only on the sequence 
of all messages, C , and on the set of randomness held by the corrupted players, G* = {Gm}m&E- 
Here, E C ^Vj?"} is the set of players corrupted by the adversary; to exclude the trivial case where 
the receiver r himself is corrupted by the adversary. A protocol P that permits a receiver to be 
anonymous achieves receiver anonymity. 

Note that protocols to hide the sender and receiver may not protect the data item sent. In particular 
there could be more players receiving the data item, even though there is only one receiver, which 
is determined before the protocol starts. The definition implies that the data sent via the protocol 
does not carry any compromising information itself. 

All known protocols for sender and receiver anonymity achieving information theoretic security 
need a reliable broadcast channel ^7j. We will also make use of this primitive: 

Definition 3 (FGMR |17j ) A protocol among n players such that one distinct player s (the 
sender) holds an input value Xs £ L (for some finite domain L) and all players eventually de- 
cide on an output value in L is said to achieve broadcast ( or Byzantine Agreement ) if the protocol 
guarantees that all honest players decide on the same output value y £ L, and that y = Xg whenever 
the sender is honest. 

Informally, we say that a protocol is traceless, if it remains secure even if we make all resources 
available to an adversary at the end of the protocol. Consider for example the DC-net protocol 
discussed earlier. Imagine a curious burglar sneaking into the restaurant at night to gather all coin 
flips our group of cryptographers performed earlier on from the tapes of the security cameras. A 
protocol is traceless, if it can withstand this form of attack. 

We model this type of attack by granting the adversary one additional ability. After completion 
of the protocol, we allow the adversary to hijack any number of players. If an adversary hijacks 
player m, he breaks into the system and learns all randomness Gm used by this player. In this 
paper, we allow the adversary to hijack all players after completion of the protocol. The adversary 
then learns all randomness used by the players, G. Nevertheless, we want him to remain ignorant 
about the identity of the sender and receiver. Formally, 

Definition 4 A k-round protocol P with sender s which achieves sender anon-ymity is sender 
traceless, if for the adversary who corrupts any t < n — 2 players and, after completion of the 
protocol, hijacks all players 



maxProb[i? = r\G\G] 



maxProb[ii = r] 
R 



1 



n — t 



maxProb[5' = s|G, C] 



maxProb[5 = si 
s 



1 



n — t 
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where the first maximum is taken over all random variables S which depend only on the sequence 
of all messages, C, and on the set of randomness held by all players, G. 

Likewise, change of sender s with receiver r, we define the property traceless for receiver anony- 
mous protocols. Recall that G and G do not contain the data item d that was sent or the roles the 
players assumed during the course of the protocol. 

2.2 Limitations on Traceless Protocols 

Intuitively, we cannot hope to construct a classical protocol which is traceless and at the same time 
allows the receiver to learn what was sent: The only way data d can be send classically is by trans- 
mitting messages over the underlying network. If, however, an adversary has all information except 
the player's input and all communication is public, he can simply check the messages transmitted 
by each player to see if they "contain" d. 

Theorem 1 Let P be a classical protocol with one sender and one receiver such that for all data 
items d & D with > 2 the following holds: the sender of d stays anonymous and the receiver 
knows d at the end of the protocol. Then P is not sender traceless. 

Proof. Let us assume by contradiction that the protocol is traceless. Without loss of generality, 
a player who is not the sender has input do & D to the protocol. Let d e D he the data item that 
the sender s wants to send. We assume that all but one players are honest during the run of the 
protocol. We would like to emphasize that the only information that is not written down, is in fact 
the data item d of the sender. 

The adversary corrupts one player. After completion of the protocol, he hijacks all players. He 
thus has access to all randomness and communication. Since a traceless protocol must resist the 
corruption of any player, it must also resist the corruption of the receiver. We therefore assume for 
the remainder of the proof that the adversary corrupts the receiver. 

Let us consider step j in the protocol, where player m has total information gj^ and sends 
communication Cjm- Note that Cjm niay only depend on the previous communication, gjm, j, the 
number m and the role of the player m, i.e. whether m is sender, receiver or neither of them. If 
m = s, then the communication may also depend on d. Since the adversary has corrupted the 
receiver, and since there is only one receiver, the adversary knows that m is either a normal player 
or the sender. Note that since the adversary corrupted the receiver, he also knows the value of d. 

After the protocol, the adversary, having access to G and C, can now calculate the messages 
that player m should have sent in round j depending on whether 

1. m was not sender or receiver, or, 

2. m was the sender and sent item d. 

The messages are calculated as follows: In case 1, the adversary simulates the actions of player 
m as if m was neither sender nor receiver. This is possible, since the adversary has access to all 
randomness and all communication. In case 2, the adversary simulates the actions of m as if m was 
the sender and sent data item d. Let {fjm}ji{fjm}j denote the set of messages resulting from the 
simulations of cases 1 and 2 respectively. The adversary now checks whether the set of observed 
messages {cjm}j = {fjm}j o^" {^jm}j = {fjm}j- ^^^^ equality holds he concludes that s ^ m, 

and for the second that s = m. 
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By assumption, the protocol is traceless for all d. Thus, the message computed for case 2) must 
be identical to the message computed for case 1) for all d, since otherwise the adversary could 
determine the sender s. This must hold for all steps j. But in this case the strategy the sender 
follows must be the same for both d = do and d ^ do. Hence it cannot have been possible for r to 
have obtained the value of d in the first place and we have a contradiction to the assumption that 
the protocol achieves a transfer for all elements of a set D with \D\ > 2. □ 
Note that we make the assumption that there is exactly one receiver which is determined before 

the start of the protocol. Other players might still obtain the data item, as this is not a statement 
about the security of the message but merely about anonymity. 

2.3 Limitations on Shared Randomness 

In this section, we take a look at how many privately shared random bits are needed in order 
to perform anonymous transmissions. We thereby only consider unconditionally secure classical 
protocols based on privately shared random bits, such as for example the DC-net. In the following, 
we will view the players as nodes in an undirected graph. The notions of "nodes in a key-sharing 
graph" and "players" are used interchangeably. Similarly, edges, keys and private shared random 
bits are the same. Again, regard the broadcast channel as an abstract resource. 

Definition 5 The undirected graph G = (V, E) is called the key-sharing graph if each node in V 
represents exactly one of the players and there is an edge between two nodes i and j if and only if 
i and j share one bit of key rij. 

We first note that for any protocol P that achieves sender anonymity, where the only resource 
used by the n participating players is pairwise shared keys, a broadcast channel and public com- 
munication, the form of the key-sharing graph G = {V, E) is important: 

Lemma 1 In any protocol P to achieve sender anonymity among n players, where the only resource 
available to the players is pairwise shared keys, a broadcast channel and public communication, a 
collusion oft players can break the sender's anonymity, if the corresponding collection oft nodes 
partitions the key-sharing graph G = {V,E). 

Proof, t colluding nodes divide the key-sharing graph into s disjoint sets of nodes {Si, . . . , Sg}- 
Note that there is no edge connecting any of these sets, thus these sets do not share any keys. Now 
suppose that sender anonymity is still possible. Let ki £ Si and kj G Sj with i ^ j he two nodes 
in different parts of the graph. Using a protocol achieving sender anonymity it is now possible to 
establish a secret bit between ki and kj Nodes i and j each generate n random bits: rj, . . . ,rf 
and rj, . . . ,r". Node i now announces n data of the form: "Bit bk is r^" for 1 < k < n using the 
protocol for sender anonymity. Likewise, node j announces "Bit b^ is r^" for 1 < A; < n. Nodes 
i and j now discard all bits for which rf = r^ and use the remaining bits as a key. Note that an 
adversary can only learn whether bk = rf or bk = r^ if the two announcements are the same. If 
rf rj, the adversary does not learn who has which bit. 

However, there is no channel between Si and Sj that is not monitored by the colluding players. 
Thus, it cannot be possible to establish a secret bit between ki and kj, since the only communication 
allowed is classical and public jSE]- This establishes the contradiction and shows that the sender's 
anonymity can be broken if the graph can be partitioned. □ 
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Furthermore, note that each player j needs to share one bit of key with at least two other players. 

Otherwise, his anonymity can be compromised. We can phrase this in terms of the key-sharing 
graph as 

Corollary 1 Each node j ^ V of the key-sharing graph G = {V,E), used by a protocol P for 
anonymous transmissions, where the only resource available to the n players is pairwise shared 
keys, a broadcast channel and public communication, must have degree d >2. 

Proof. Suppose on the contrary, that an arbitrary node j has degree 1: it has only one outgoing 
edge to another node k. Clearly, node k can partition the key-sharing graph into two disjoint sets 
Si = {j} and S2 = V \ {j, k}. By Lemma^ node k can break j's anonymity. □ 



Corollary 2 Any protocol P that achieves sender anonymity, where no players collude and the 
only resource available to the n players is pairwise shared keys, a broadcast channel and public 
communication, needs at least n bits of pairwise shared keys. 

Proof. Consider again the key-sharing graph G = {V,E). Suppose on the contrary, that only 
k < n bits of shared keys are used. Then there must be at least one node of degree 1 in the graph. 
Thus, by Corollary ^ at most n bits of shared keys are necessary. □ 



Corollary 3 Any protocol P that achieves sender anonymity and is resistant against collusions of 
t < n — 1 players, where the only resources available to the n players are pairwise shared keys, a 
broadcast channel and public communication, needs at least n{n— l)/2 bits of pairwise shared keys. 

Proof. Again consider the key-sharing graph G. Suppose on the contrary, that only k < n{n— 1) /2 
bits of shared keys are used. However, then there are only k < n{n — l)/2 edges in a graph of n 
nodes. Then G is not fully connected and there is a set of t = n — 2 colluding nodes which can 
partition the key-sharing graph. By Lemma ^ they can then break the sender's anonymity. Thus 
n(n — l)/2 bits of pairwise shared key are necessary to tolerate up to i < n — 1 colluding players. 
□ 



2.4 Quantum Resources 

We assume familiarity with the quantum model j^H]- The fundamental resource used in our proto- 
cols are n-party shared entangled states of the form 

i^) = i=(io") + in)^-^(io)«'^ + ii)^"). 

These are commonly known as generalized GHZ states |21| . By "shared" we mean that each of 
the n players holds exactly one qubit of l^*). They could have obtained these states at an earlier 
meeting or distribute and test them later on. 
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The key observation used in our protocols is tlie fact that pliase flips and rotations applied 
by the individual players have the same effect on the global state no matter who applied them. 
Consider for example the phase flip defined by 



If player number i applies this transformation to his state, the global transformation is Ui = 
<S> /®("~*), where I is the identity transform. We now have Vi G {1, . . . , n} : Ui\^) = 
(|0") — |1"))/a/2. Note that this transformation takes place "instantaneously" and no communica- 
tion is necessary. 

3 Traceless Quantum Protocols 

3.1 Model 

To obtain traceless anonymous transmissions we allow the players to have access to a generalized 
GHZ state. We assume that the n players have access to the following resources: 

1. ra-qubit shared entangled states 1^*) = (|0'*) + \l"'))/y/2 on which the players can perform 
arbitrary measurements. 

2. A reliable broadcast channel. 

3.2 Sending Classical Bits 

To start with, we present a protocol to send a classical bit b anonymously, if the n players share 
an n-qubit entangled state l^'). For now, we assume that only one person wants to send in each 
round of the protocol and deal with the case of multiple senders later on. We require our protocol 
to have the following properties: 

1. (Correctness) If all players are honest, they receive the data item d that was sent by the 
sender. If some players are malicious, the protocol aborts or all honest players receive the 
same data item d, not necessarily equal to d. 

2. (Anonymity) If up to i < n — 2 players are malicious, the sender and receiver stay anonymous. 

3. (Tracelessness) The protocol is sender and receiver traceless. 

3.2.1 Protocol 

Let's return to the original dinner table scenario described earlier. Suppose Alice, one of the dinner 
guests, wishes to send a bit d G D = {0, 1} anonymously. For this she uses the following protocol: 
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Protocol 1: ANON((i) 

Prerequisite: Shared state (|0") + |1"))/V2 

1: Alice applies a phase flip cr^ to her part of the state if d = 1 and does nothing otherwise. 

2: Each player (incl. Alice): 

- Applies a Hadamard transform to his/her qubit. 

- Measures his/her qubit in the computational basis. 

- Broadcasts his/her measurement result. 

- Counts the total number of I's, k, in the n measurement outcomes. 

- If /c is even, he/she concludes d = 0, otherwise d = I. 

3: The protocol aborts if one of more players do not use the broadcast channel. 



3.2.2 Correctness 

First of all, suppose all parties are honest. Since Alice applies the phase flip az depending on the 
value of the bit d she wishes to send, the players obtain the state dO") + |l"))/-\/2 if d = and 
dO") — |l"'))/\/2 if d = 1. By tracing out the other players' part of the state, we can see that no 
player can determine on his own whether the phase of the global state has changed. We therefore 
require the players to first apply a Hadamard transform H to their qubit. This changes the global 
state such that we get a superposition of all strings x G {0, 1}" with an even number of I's for no 
phase flip and an odd number of I's if a phase flip has been applied: 

^ \xG{0,l}" xe{0,l}" J 

where |x| denotes the Hamming weight of the string x. Thus we expect an even number of I's 
if c? = and an odd number of I's if d = 1. The players now measure their part of the state 
and announce the outcome. This allows each player to compute the number of I's in the global 
outcome, and thus d. If more than one player had applied a phase flip, ANON computes the parity 
of the players inputs. Broadcasting all measurement results needs n uses of a broadcast channel. 

Now suppose that some of the players are malicious. Recall that we assume that the players 
use a reliable broadcast channel. This ensures an honest player obtains the same value for the 
announcement. Thus two honest parties will never compute a different value for the sent data item 
d. Further, note that it may always be possible that one or more malicious players do not use the 
broadcast channel. This consequently results in an abort of the protocol. We conclude that the 
correctness condition is satisfied. 
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3.2.3 Anonymity 

As we noticed in Section [21 the resulting global state is independent of the identity of the person 
applying the phase flip. Since a phase flip is applied locally, no transmissions are necessary to change 
the global state. Subsequent transmissions are only dependent on the global state. Since this global 
state is invariant under an arbitrary permutation of the honest players and since the communication 
of the individual players depends only on their part of the states, the total communication during 
a run of the protocol P where player m sends d, is independent of the role of the player. If the 
sender is not one of the colluding players, then for the set of colluding players, all other players are 
equally likely to be sender. This is precisely the definition of sender anonymity. A receiver may be 
specified. His anonymity is then given directly as every player obtains the bit sent. 

Note that a player deviating from the protocol by inverting his measurement outcome or apply- 
ing a phase flip himself will only alter the outcome, but not learn the identity of the sender. The 
same discussion holds when the protocols is executed multiple times in succession or parallel. 

3.2.4 Tracelessness 

The most interesting property of our quantum protocol is that it is completely traceless: The 
classical communication during the protocol is solely dependent on the global state, which is the 
same no matter who the sender is. This means that Alice' communication is independent of her 
bit d. The randomness is now determined by the measurement results of the global state, which 
has already been altered according to the players inputs. Thus, the traceless condition is satisfied, 
because there is thus no record of Alice sending. 

We believe that the tracelessness is a very intuitive property of the quantum state, as sending 
d simply changes the overall probability distribution of measurement outcomes instead of the in- 
dividual messages of the sender. Note, however, that if we had first measured the state |^) in the 
Hadamard basis to obtain classical information and then allowed the sender to invert the measured 
bit to send d = 1, our protocol would no longer be traceless. We leave no record of Alice' activity 
in the form of classical information. Alice can later always deny that she performed the phase 
flip. Whereas this is stronger than classical protocols, it also makes our protocol more prone to 
disruptors. Unlike in the classical scenario, we cannot employ mechanisms such as traps suggested 
by Chaum and Waidner and Pfitzmann Li8j , to trace back disruptors. If one of our players 
is determined to disrupt the channel by, for example, always applying a phase flip himself, we are 
not able to find and exclude him from the network. 

3.3 Anonymous Entanglement 

The dinner guests realize that if they could create entanglement with any of the other players 
anonymously, they could teleport a quantum state to that player anonymously as well. We define 
the notion of anonymous entanglement, which may be useful in other scenarios as well: 

Definition 6 If two anonymous players A and B share entanglement, we speak of anonymous 
entanglement (AE). 

Definition 7 If two players A and B share entanglement, where one of them is anonymous, we 
speak of one-sided anonymous entanglement (one-sided AE). 
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It is possible to use shared entanglement together with classical communication to send quantum 
information using quantum teleportation j^. Anonymous entanglement together with a protocol 
providing classical sender anonymity thus forms a virtual channel between two players who do not 
know who is sitting at the other end. This allows for easy sender and receiver anonymity for the 
transmission of qubits. Note that it is also possible to use anonymous entanglement to obtain 
a secure classical anonymous channel. Unlike ANON, this provides security of the data as well. 
Classically, such a virtual channel would have to be emulated by exchanging a key anonymously. 
We require that if all players are honest, the sender and recipient succeed in establishing an EPR 
pair. Furthermore, the protocol should achieve sender and receiver anonymity with regard to the 
two parts of the shared state. If one or more players are dishonest, they may disrupt the protocol. 

3.3.1 Protocol 

We use the same resource of shared states | ^) to establish anonymous entanglement for transmitting 
information by using an idea presented in the context of quantum broadcast |2]. More general 
protocols are certainly possible. For now, we assume that there are exactly two players, sender 
s (Alice) and receiver r (Bob), among the n players interested in sharing an EPR pair. If more 
players are interested, they can use a form of collision detection described later. 



Protocol 2: AE 

Prerequisite: Shared state (|0") + |1"))/V2. 

1: Alice (s) and Bob (r) don't do anything to their part of the state. 
2: Every player j £ V\{s,r} 

- Applies a Hadamard transform to his qubit. 

- Measures this qubit in the computational basis with outcome rrij. 

- Broadcasts mj. 

3: s picks a random bit b £^ {0, 1} and broadcasts b. 

4: s applies a phase flip to her qubit if fe = 1. 

5: r picks a random bit 6' €_r {0, 1} and broadcasts b'. 

6: r applies a phase flip fi^ to his qubit, if 6 © ©jgi/\{s r} "^i ~ ^■ 



3.3.2 Correctness 

The shared state after the n — 2 remaining players applied the Hadamard transform becomes: 
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All players except Alice and Bob measure this state. The state for them is thus (|00)+(-l)l^l |ll))/\/2. 
After Alice's phase flip the system is in state (|00) + (— l)l^l®*|ll))/\/2. The sum of the measure- 
ments results gives |x| = ©jgv'\{s r} "^j- Thus Bob can correct the state to (|00) + |ll))/\/2 as 
desired. 

3.3.3 Anonymity 

The measurement outcomes are random. Thus, the players obtain no information during the 
measurement step. Likewise, the bits broadcast by Alice and Bob are random. Thus both of them 
remain hidden. Note that the protocol is resistant to collusions of up to re — 2 players: The combined 
measurement outcomes still do not carry any information about Alice and Bob. 

3.4 Sending Qubits 

Let's return to the dinner table once more. After they have been dining for hours on end, Bob, the 
waiter, finally shows up and demands that the bill is paid. Alice, one of the dinner guests, is indeed 
willing to pay using her novel quantum coins, however, does not want to reveal this to her colleagues. 
The goal is now to transmit an arbitrary qubit and not mere classical information. As before, we 
ask that our protocol achieves sender and receiver anonymity and is traceless. Furthermore, if all 
players are honest, the receiver should obtain the qubit sent. Note that unlike in the classical case, 
we do not require that all honest players hold the same qubit at the end of the protocol. This 
would contradict the no-cloning property of quantum states. Alice now uses the shared EPR pair 
to send a quantum coin \(f)) to Bob via teleportation j26j . 

Protocol 3: ANONQ(|(/))) 

Prerequisite: Shared states (|0") + |1"))/a/2 

1: The players run AE: Alice and Bob now share an EPR pair: |r) = (|00) + |ll))/\/2 

2: Alice uses the quantum teleportation circuit with input \(j)) and EPR pair |r), and obtains 
measurement outcomes mo,mi. 

3: The players run ANON(rei-o) and ANON(mi) with Alice being the sender. 

4: Bob applies the transformation described by mo,?rei on his part of |r) and obtains 



If all players are honest, after step 1, Alice and Bob share the state |r) = (|00) + |ll))/\/2 
anonymously. The correctness condition is thus satisfied by the correctness of quantum teleporta- 
tion. As discussed earlier, AE and AN0N(6) do not leak any information about Alice or Bob. Since 
no additional information is revealed during the teleportation step, it follows that ANONQ(|i;^)) 
does not leak any information either and our anonymity condition is satisfied. In our example, we 
only wanted Alice to perform her payment anonymously, whereas Bob is known to all players. Our 
protocol also works, however, if Alice does not know the identity of Bob. 
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4 Dealing with multiple senders 

So far, we have assumed that only a single person is sending in any one round. In reality, many 
users may wish to send simultaneously, leading to collisions. A user can easily detect a collision 
if it changes the classical outcome of the transmission. Depending on the application this may be 
sufficient. However, it may be desirable to detect collisions leading to the same outcome. This is 
important if we want to know the value of each of the bits sent and not only their overall parity. 

The simplest way to deal with collisions is for the user to wait a random number of rounds, 
before attempting to resend the bit. This method was suggested by Chaum and is generally 
known as ALOHA [S^j. Unfortunately this approach is rather wasteful, if many players try to 
send simultaneously. Alternatively one could use a reservation map technique based on collision 
detection similar to what was suggested by Pfitzmann et al. For this one uses n applications 
of collision detection (of [logn] + 1 rounds each) to reserve the following n slots. 

We will now present a simple quantum protocol to detect all kinds of collisions, provided that 
no user tries to actively disrupt the protocol. We use the same resource, namely shared entangled 
states 1^'). The important point of this protocol is that it is traceless. 

4.1 Protocol 

Before each round of communication, the n players run a ([logn] + l)-round test to check, whether 
a collision would occur. For this they require [logn] + 1 additional states of the form |^') = 
(|0") + |l"))/\/2- Each state is rotated before the start of the collision detection protocol. Let 



and map the jth. state to \tj) = Uj\^). This could for example be done by a dedicated player or 
be determined upon distribution of the entangled states l^*). 

Protocol 4: Collision Detection 

Prerequisite: [logn] + 1 states j^f) = (|0") + |l"))/\/2 

1: A designated player prepares [logn] + 1 states by rotations: 

For < J < [logn], he applies Rz{—it/2^) to his part of one |^') to create \tj). 

2: In round < j < [logn] each of the n players 



- Applies a Hadamard transform to his part of the state. 

- Measures in the computational basis. 

- Announces his measurement result to all other players. 

- Counts the total number of I's, kj, in the measurement results. 

- If kj is odd, concludes a collision has occurred and the protocol ends. 

3: If all kj are even, exactly 1 player wants to send. 




- Applies Rz{'k/2^) to his part of the state if he wants to send. 
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4.2 Correctness and Privacy 

Let's first take an informal look, wfiy this works. In round j witfi < j < [logn], each user 
who wishes to send applies a rotation described by Rz{tt/2^) to his part of the state. Note that 
if exactly one user tries to send, this simply rotates the global state back to the original state 
1^) — + |l"))/v^- If A: > 1 users try to send, we can detect the collision in round j such that 
k = 2^m + 1 where m G N is odd: First \tj) is rotated back to |^') by the first of the k senders. 
The state is then rotated further by an angle of (vr/2'') • 2^m = mir. But 



applied to |^') gives 1^') = ±ii(|0") - |l"))/\/2, where we can ignore the global phase. The users 
now all apply a Hadamard transform to their part of the state again, measure and broadcast 
their measurement results to all players. As before, they can distinguish between |^') and |^''), by 
counting the number of I's in the outcome. If the number of users who want to send in round j 
is not of the form 2^m + 1, the players may observe an even or odd number of I's. The crucial 
observation is that in [logn] + 1 rounds, the players will obtain \ ^') at least once, if more than one 
user wants to send, which they can detect. If no phase flip has been observed in all rounds of the 
collision detection protocol, the players can be sure there is exactly one sender. The key to this 
part of the protocol is the following simple observation: 

Lemma 2 For any integer 2 < k < n, there exist unique integers m and j, with m odd and 
< j < [log n] , such that k = 2^ m + \. 

Proof. By the fundamental theorem of arithmetic we can write k — 1 = 2^m for unique j, m E N 
where m is odd. We have j < [logn] , since 2 < k < n. Thus k = 2^m + 1. □ 

Corollary 4 [logn] + 1 rounds, using one state (|0") + |l"))/\/2 each, are sufficient to detect 
2 <k <n senders within a group of n players. 

Proof. Using Lemma|2lwe can write k = 2^m + 1 with < j < [logn] . In round j the final state 
win be R^{{2^m) ■ (7r/2-'))|^') = i?^(m7r)|^') = ±i(|0") - |l"))/\/2, which the players can detect. □ 
There exists a classical protocol already suggested by Pfitzmann et al. [HJj using O(n^logn) bits 
of private shared randomness. However, this protocol is not traceless as desired by our protocol. 
Our protocol preserves anonymity and is traceless by the same argument used in Section 122131 

When sending quantum states, collisions are not so easy to detect, since they do not change the 
outcome noticeably. The protocol to establish anonymous entanglement relies on the fact that only 
two players refrain from measuring. We thus require some coordination between the two players. 
Here, we can make use of the same collision detection protocol as we used to send classical bits: 
First run the collision detection protocol to determine the sender. The sender again expresses 
his interest in indicating that he wants to send by employing rotations. Then perform another 
application of collision detection for the receiver. 
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5 Conclusions and Future Work 



We have presented a protocol for achieving anonymous transmissions using shared quantum states 
together with a classical broadcast channel. The main feature of this protocol is that, unlike 
all classical protocols, it prevents later reconstruction of the sender. This indicates that shared 
entangled states are very well suited to achieve anonymity. Perhaps similar techniques could also 
play an important role in other protocols where such a traceless property is desirable. 

Our protocol is a first attempt at providing anonymous transmissions with this particular prop- 
erty. More efficient protocols may be possible. Perhaps a different form of quantum resource gives 
an additional advantage. However, we believe that our protocol is close to optimal for the given 
resources. We have also not considered the possibility of allowing quantum communication between 
the players, which could be required by more efficient protocols. It is also open whether a better 
form of collision detection and protection against malicious disruptors is possible. The states used 
for our collision detection protocol are hard to prepare if n is very large. Furthermore, using shared 
entangled states, it is always possible for a malicious user to measure his qubit in the computational 
basis to make further transmissions impossible. 

So far, we have simply assumed that the players share a certain quantum resource. In reality, 
however, this resource would need to be established before it can be used. This would require 
quantum communication among the players in order to distribute the necessary states and at 
least classical communication for verification purposes. The original DC-net protocol suffers from a 
similar problem with regard to the distribution of shared keys, which is impossible to do from scratch 
using only classical channels j26j . Some quantum states on the other hand have the interesting 
property that the players can create and test the states among themselves, instead of relying on a 
trusted third party. 
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